Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Evaluation of the Google Chrome Extension Security Architecture

Published byHope Butler Modified over 9 years ago

Similar presentations

Presentation on theme: "An Evaluation of the Google Chrome Extension Security Architecture"— Presentation transcript:

1 An Evaluation of the Google Chrome Extension Security Architecture
Nicholas Carlini, Adrienne Porter Felt, and David Wagner University of California, Berkeley USENIX Security Symposium 2012 曾毓傑

2 Outline Introduction Extension Security Background
Extension Security Review Evaluation of Isolated Worlds Evaluation of Privilege Separation Evaluation of Permission System Defenses Defenses Evaluation Conclusion

3 Introduction Most browser extensions are written by well-meaning developers who are not security experts Google Chrome employs three mechanisms to prevent and mitigate extension vulnerabilities Isolated Worlds Separate extension’s JavaScript heap from web page’s heap Privilege Separation Separate extension into two parts: content script and core extensions Permissions Predefine a list of permission that extension needs

4 Extension Security Background
We focus on non-malicious extensions that are vulnerable to external attacks: Benign-but-buggy extensions Two types of attacks are possible Network Attackers Add malicious data into HTTP traffic reading from extension Add HTTP script into HTTPS web-page Web Attackers Extension treat website’s data or functions as trusted Network Attacker Execute Untrusted Data Untrusted Data Execute Modified Data Original Data Modified Data

5 Extension Architecture

6 Chrome Security Model Isolated Worlds Extension access a copy of DOM elements, different heap

7 Chrome Security Model (Cont.)
Privilege Separation Core extension can access Browser API but not page’s DOM Content script can access page’s DOM but not Browser API Two components communicate with each other using Message Passing script

8 Chrome Security Model (Cont.)
Permissions A Manifest.json file listing permission needed of the extension Each element is mapping to a certain Browser API module or a domain needed to access

9 Chrome Security Model (Cont.)
Content Security Policy (CSP) Client-side HTML policy system to restrict some type of JavaScript to be executed on the page Not implemented when the research is working, so we won’t discuss this part

10 Extension Security Review
100 Google Chrome Extension is evaluated 50 most popular extensions 50 randomly selected extensions Three types of methodology is applied to the analysis Black-box testing Source code analysis Holistic testing 40% of the extensions contains vulnerabilities, totally 70 vulnerabilities are found from those extensions

11 Extension Security Review (Cont.)

12 Evaluation of Isolated Worlds
The protection of Isolated Worlds is largely succeeds Only 3/100 extensions has content script vulnerabilities Four possible security challenges needs to be noticed Data as HTML – untrusted data been inserted into page Eval – code will run in content script’s isolated world Click Injection – unwanted events would be triggered Prototypes and Capabilities – JavaScript prototype mechanism Isolated Worlds defeats two of them, but not Eval and Click Injection

13 Evaluation of Privilege Separation
Privilege Separation is intended to shield the privileged core extension from attacks 61/100 has content script, 23/61(38%) has vulnerabilities by accident or intentionally Privilege Separation protect a content script vulnerability 62% of the time

14 Evaluation of Privilege Separation (Cont.)
Possible attacks Vulnerable Content Script – ask core extension to trigger arbitrary HTTP XHRs AdBlock gets window object which has eval() functionality Web Developer insert messages into popup page, which is controlled by the core extension Website Metadata Vulnerabilities – some malicious data may contain in website metadata Direct Network Attacks – malicious data from HTTP XHRs or scripts

15 Evaluation of Privilege Separation (Cont.)
Privilege Separation fully protect 62% of extensions, still good enough to protect core extension from attacks Developers may accidentally or intentionally write bad code if there is no privilege separation

16 Evaluation of Permission System
Permission system restrict the modules can be used in core extension If the extension is compromised, attackers can only get the permissions extension predefined in the Manifest.json file Popular permissions requested by the 27 extensions with core extension vulnerabilities

17 Evaluation of Permission System (Cont.)
Impact of those vulnerabilities Critical – Run arbitrary code on user’s system High – Access DOM of all HTTP(S) websites Medium – Access DOM of financial or important personal data Low – Access DOM of specific websites that do not contain sensitive data None – Does not leak any permissions

18 Evaluation of Permission System (Cont.)
Developers would be unwilling to take the time to specify the correct set of permissions, which increase the danger once extension is compromised Permission System helps mitigate these vulnerabilities in practice, thus have a positive impact on system security

19 Defenses Four additional defenses is introduced to increase the security of extension Banning HTTP Scripts Use HTTPS to fetch script to prevent Man-in-the-middle attack Include script in the extension instead of fetching it dynamically Banning Inline Scripts Change event binding using addEventListner() instead of onClick attribute Banning Eval Use function literal instead of string in setTimeout() Use JSON.parse() instead of eval() to parse JSON data Banning HTTP XHR Use HTTPS XHR

20 Defenses Evaluation Some extensions may be broken, but some extensions may fix the vulnerabilities Recommendation: Banning HTTP Scripts and Banning Inline Script No extensions would be permanently broken

21 Conclusion Our work is the first to evaluate the efficacy of the Google Chrome extension platform Perform a security review on 100 Google Chrome extensions Isolation Worlds defeat most of the attacks

Download ppt "An Evaluation of the Google Chrome Extension Security Architecture"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
JavaScript Objects - DOM CST 200 JavaScript. Objectives Introduce JavaScript objects Introduce Document Object Model Introduce window object Introduce.

JavaScript Objects - DOM CST 200 JavaScript. Objectives Introduce JavaScript objects Introduce Document Object Model Introduce window object Introduce.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
Hulk: Eliciting Malicious Behavior in Browser Extensions

Hulk: Eliciting Malicious Behavior in Browser Extensions
張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of.

張逸文 P ROTECTING B ROWSERS FROM E XTENSION V ULNERABILITIES NDSS 2010 Adam Barth, University of California, Berkeley Adrienne Porter Felt, University of.
Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.

Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.

Similar presentations

Ads by Google